ssh public keys and pam

Jason Gerfen jason.gerfen at scl.utah.edu
Fri Oct 21 12:18:40 UTC 2005


I am not an expert on SSH, but storing the public key in LDAP would only 
allow you to authenticate the machine against the stored key in LDAP.  I 
am a little bit in the dark as to how you would authenticate the user 
this way, unless you had the user enter the passphrase used to create 
the public key and use that as the PAM_AUTHTOK value.

Perhaps some more information on it?

Stanislav Sedov wrote:

>On Thu, Oct 20, 2005 at 09:25:42PM +0000, Daniel Jacober wrote:
>
>>Jason
>>
>>Yes that's exactly what I would like to do.
>>I would like to store the SSH public keys in an LDAP - Directory
>>instead of storing them locally.
>>Then I would like to authenticate against those keys. This way I could
>>control access to all our servers via LDAP.
>>
>>I first tried to hack pam_ldap - module but I read about issues in a
>>newsgroup
>>
>>http://www.opensolaris.org/jive/thread.jspa?threadID=614&tstart=15
>>
>>Therefore I tried to make my own module. But I can't find a way to get
>>the public key into the pam-module. All I get is the password after
>>SSH pubkey authentication fails.
>>
>>Any hint on this subject is greatly appreciated.
>>
>>Regards Daniel
>>
>
>It seems that SSH can't fetch keys using PAM or LDAP. Furthermore,
>SSHd doesn't use PAM if the user is authenticating using
>public keys.
>
>You must patch SSHd to fetch keys from LDAP, or write a PAM module
>that will communicate with the ssh client and verify keys manually.
>Probably this can't be achieved, because you must initiate the
>key exchange procedure with the client.
>
>_______________________________________________
>Pam-list mailing list
>Pam-list at redhat.com
>https://www.redhat.com/mailman/listinfo/pam-list
>


-- 
Jason Gerfen
Student Computing Labs, University Of Utah
jason.gerfen at scl.utah.edu

J. Willard Marriott Library
295 S 1500 E, Salt Lake City, UT 84112-0860
801-585-9810

"My girlfriend threatened to
 leave me if I went boarding...
 I will miss her."
 ~ DIATRIBE aka FBITKK
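The directory-backed key lookup discussed in this thread, as an added example that is not part of any of the original messages: later OpenSSH releases added the AuthorizedKeysCommand option, so sshd can ask a script for a user's keys instead of being patched to talk to LDAP itself. The script assumes an openssh-lpk style sshPublicKey attribute, an installed ldapsearch, and placeholder LDAP_URI and BASE_DN values; the LDIF sample at the bottom is constructed so the parsing can be exercised without a directory.

```shell
#!/bin/bash
# Added example (not from the thread): an sshd AuthorizedKeysCommand helper
# that serves a user's public keys from LDAP, no sshd patch needed.
# Assumed, not stated in the thread: keys sit in the sshPublicKey attribute
# (openssh-lpk schema); ldapsearch is installed; sshd_config carries
#   AuthorizedKeysCommand /usr/local/sbin/ldap-authorized-keys %u
#   AuthorizedKeysCommandUser nobody
set -eu
LDAP_URI="${LDAP_URI:-ldap://ldap.example.org}"    # placeholder values
BASE_DN="${BASE_DN:-ou=People,dc=example,dc=org}"

# RFC 4515 filter escaping so a crafted login name cannot change the search.
ldap_escape() {   # backslash first, then * ( )
    printf '%s' "$1" | sed -e 's/\\/\\5c/g' -e 's/\*/\\2a/g' \
                           -e 's/(/\\28/g' -e 's/)/\\29/g'
}
# LDIF on stdin -> authorized_keys lines: unfold continuation lines (leading
# space), decode base64 ("::") values, and accept only sshPublicKey values
# whose first field is an allowed key type, so option prefixes (command=,
# from=) and legacy types stored in the directory are silently dropped.
ldif_to_keys() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" } { printf "%s", $0 }
         END { if (NR > 0) printf "\n" }' |
    while IFS= read -r line; do
        case "$line" in
            'sshPublicKey:: '*) key=$(printf '%s' "${line#sshPublicKey:: }" | base64 -d) ;;
            'sshPublicKey: '*)  key=${line#sshPublicKey: } ;;
            *) continue ;;
        esac
        case "$key" in
            ssh-ed25519\ ?*|ssh-rsa\ ?*|ecdsa-sha2-nistp256\ ?*) printf '%s\n' "$key" ;;
        esac
    done
}
# What sshd invokes with %u: query the directory and print the key lines.
fetch_keys() {
    ldapsearch -LLL -x -H "$LDAP_URI" -b "$BASE_DN" \
        "(uid=$(ldap_escape "$1"))" sshPublicKey | ldif_to_keys
}
# Constructed LDIF like ldapsearch -LLL output: one plain key, one base64
# key folded over a continuation line, one legacy DSA key (to be dropped).
sample_ldif() {
    b64=$(printf '%s' 'ssh-rsa AAAAB3NzaC1yc2EAAAAD notarealkey bob@example' | base64 | tr -d '\n')
    printf 'dn: uid=alice,ou=People,dc=example,dc=org\n'
    printf 'sshPublicKey: ssh-ed25519 AAAAC3NzaC1lZDI1NTE5 notarealkey alice@example\n'
    printf 'sshPublicKey:: %s\n %s\n' "${b64:0:24}" "${b64:24}"
    printf 'sshPublicKey: ssh-dss AAAAB3NzaC1kc3MA legacy@example\n'
}
if [ "$#" -gt 0 ]; then fetch_keys "$1"; fi
```

sshd only runs the command when the script file is owned by root and not writable by group or others, and it runs it as the AuthorizedKeysCommandUser, so that account needs read access to the directory and nothing else.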
